| 01:31:42 | *** Mkop has quit IRC |
| 02:27:11 | *** Mkop has joined #openmrs |
| 02:27:11 | *** ChanServ sets mode: +v Mkop |
| 02:46:19 | *** mseaton has joined #openmrs |
| 02:46:19 | *** ChanServ sets mode: +v mseaton |
| 03:07:36 | *** LVW has joined #openmrs |
| 04:27:12 | *** djazayeri has quit IRC |
| 04:32:36 | *** mseaton has left #openmrs |
| 06:19:57 | *** matthewl has joined #openmrs |
| 06:21:44 | <matthewl> Evening everyone |
| 06:58:15 | *** matthewl has left #openmrs |
| 09:16:18 | *** lh has quit IRC |
| 09:26:09 | *** dkayiwa has joined #openmrs |
| 09:30:31 | *** Mkop1 has joined #openmrs |
| 09:30:31 | *** ChanServ sets mode: +v Mkop1 |
| 09:30:52 | *** Mkop has quit IRC |
| 10:48:14 | *** dkayiwa has quit IRC |
| 10:49:32 | *** rafa has joined #openmrs |
| 10:49:32 | *** ChanServ sets mode: +v rafa |
| 10:56:45 | *** rafa has quit IRC |
| 11:08:16 | *** yony258 has joined #openmrs |
| 11:09:02 | <yony258> Hi, how come the demonstration DB doesn't have any visit types but still has visits? (I thought that visitType can't be null) |
| 13:07:59 | *** Dilan has joined #openmrs |
| 13:16:34 | <Dilan> hi |
| 13:19:22 | *** mseaton has joined #openmrs |
| 13:19:22 | *** ChanServ sets mode: +v mseaton |
| 13:19:32 | *** mseaton has left #openmrs |
| 13:22:43 | *** Dilan has quit IRC |
| 13:23:28 | *** dilangamachchige has joined #openmrs |
| 13:29:49 | *** ss_ has joined #openmrs |
| 13:31:50 | <ss_> why |
| 13:36:17 | *** ss_ has quit IRC |
| 13:56:13 | *** mseaton has joined #openmrs |
| 13:56:13 | *** ChanServ sets mode: +v mseaton |
| 13:56:23 | *** mseaton has left #openmrs |
| 14:05:54 | *** Mkop1 has quit IRC |
| 14:06:01 | *** Mkop has joined #openmrs |
| 14:06:01 | *** ChanServ sets mode: +v Mkop |
| 14:12:57 | *** dilangamachchige has quit IRC |
| 14:19:37 | *** yony258 has quit IRC |
| 14:58:58 | *** LVW has quit IRC |
| 15:47:01 | *** k-joseph has joined #openmrs |
| 15:48:56 | *** rafa has joined #openmrs |
| 15:48:56 | *** ChanServ sets mode: +v rafa |
| 15:56:30 | *** dkayiwa has joined #openmrs |
| 15:57:25 | <k-joseph> dkayiwa: hi |
| 15:57:30 | <dkayiwa> k-joseph: hi |
| 16:00:27 | *** dkayiwa has quit IRC |
| 16:07:54 | *** robbyoconnor has quit IRC |
| 16:08:11 | *** rafa has quit IRC |
| 16:08:24 | *** robbyoconnor has joined #openmrs |
| 16:08:24 | *** ChanServ sets mode: +v robbyoconnor |
| 16:40:41 | *** k-joseph_ has joined #openmrs |
| 16:41:02 | <k-joseph_> \nick k-joseph |
| 16:41:29 | *** k-joseph has quit IRC |
| 16:41:50 | *** k-joseph_ is now known as k-joseph |
| 16:44:38 | *** dkayiwa has joined #openmrs |
| 16:48:10 | <k-joseph> dkayiwa: i think i have gotten something from the resource you recommended me to, am through with it and am looking forward to resume, thanks a lot |
| 16:48:30 | <dkayiwa> k-joseph: ok great |
| 16:48:55 | <dkayiwa> k-joseph: can you rewrite the other unit test and pastebin it to me? |
| 16:50:44 | <k-joseph> dkayiwa: please remind me of what am to consider for that unit test! |
| 16:51:20 | <dkayiwa> k-joseph: combine the knowledge you have learnt from the document and the ticket required info |
| 16:51:29 | <dkayiwa> k-joseph: then send me what you think |
| 16:52:01 | <k-joseph> dkayiwa: ok |
| 16:55:09 | *** k-joseph_ has joined #openmrs |
| 16:58:38 | *** k-joseph has quit IRC |
| 16:59:38 | *** k-joseph_ has quit IRC |
| 17:02:04 | *** k-joseph_ has joined #openmrs |
| 17:02:39 | <k-joseph_> \nick k-joseph |
| 17:02:49 | *** k-joseph_ is now known as k-joseph |
| 17:11:10 | <k-joseph> dkayiwa: hi |
| 17:11:20 | <dkayiwa> k-joseph: hi |
| 17:11:29 | <k-joseph> dkayiwa: while focussing on the description of this ticket TRUNK-3751, i realise i don't get the warning described, and in your comment you have this as the first thing to be worked upon, then write a test for it. i know the test can be written first but am still not well versed with what am testing, maybe i need further enlightenment. i will be glad to receive your further assistance, thanks |
| 17:12:31 | <dkayiwa> k-joseph: the unit test can be there to prove that what is reported is not actually happening |
| 17:12:42 | <dkayiwa> k-joseph: by the unit test passing |
| 17:13:17 | <dkayiwa> k-joseph: so the test should be to test for the reported problem. if the unit test passes, then it means the problem was fixed |
| 17:13:26 | <dkayiwa> k-joseph: have i confused you even more? |
| 17:15:44 | *** k-joseph has quit IRC |
| 17:19:56 | *** k-joseph has joined #openmrs |
| 17:20:43 | <k-joseph> dkayiwa: hi |
| 17:20:51 | <dkayiwa> k-joseph: hi |
| 17:23:55 | <dkayiwa> dkayiwa: k-joseph: the unit test can be there to prove that what is reported is not actually happening |
| 17:23:55 | <dkayiwa> [8:45pm] dkayiwa: k-joseph: by the unit test passing |
| 17:23:56 | <dkayiwa> [8:46pm] dkayiwa: k-joseph: so the test should be to test for the reported problem. if the unit test passes, then it means the problem was fixed |
| 17:23:56 | <dkayiwa> [8:46pm] dkayiwa: k-joseph: have i confused you even more? |
| 17:28:18 | <dkayiwa> k-joseph: are you there? |
| 17:28:30 | <k-joseph> dkayiwa: yes, |
| 17:28:41 | <dkayiwa> k-joseph: why not respond to me? |
| 17:28:44 | <k-joseph> dkayiwa: not confusing |
| 17:29:00 | <dkayiwa> k-joseph: and why didn't you respond already? |
| 17:29:36 | <k-joseph> dkayiwa: sorry, was much taken up by what you meant |
| 18:22:03 | *** rafa has joined #openmrs |
| 18:22:03 | *** ChanServ sets mode: +v rafa |
| 18:25:09 | *** Mkop has quit IRC |
| 18:26:54 | *** rafa has quit IRC |
| 19:02:23 | <k-joseph> dkayiwa: i have gone ahead and done what i have thought out for this testcase, i really need your extended assistance as far as this is concerned, my test case is failing the test |
| 19:02:54 | <k-joseph> dkayiwa: paste at http://pastebin.com/ujdpE8K8 |
| 19:02:58 | *** Mkop has joined #openmrs |
| 19:02:58 | *** ChanServ sets mode: +v Mkop |
| 19:09:32 | *** LVW has joined #openmrs |
| 19:20:43 | *** dkayiwa has quit IRC |
| 19:28:27 | *** k-joseph has quit IRC |
| 19:43:24 | *** djazayeri has joined #openmrs |
| 19:43:24 | *** ChanServ sets mode: +o djazayeri |
| 19:45:44 | *** k-joseph has joined #openmrs |
| 19:51:02 | *** k-joseph has quit IRC |
| 19:54:34 | *** k-joseph has joined #openmrs |
| 20:10:02 | *** k-joseph has quit IRC |
| 20:17:03 | <OpenMRSBot> Recent updates in the world of openmrs: OpenMRS Modules: Address Hierarchy 2.2.8 uploaded to OpenMRS Module Repository <https://modules.openmrs.org/modules/view.jsp?module=addresshierarchy&version=&2.2.8> || OpenMRS Modules: HTML Form Entry 2.0.3 uploaded to OpenMRS Module Repository <https://modules.openmrs.org/modules/view.jsp?module=htmlformentry&version=&2.0.3> |
| 21:34:51 | *** djazayeri has quit IRC |
| 21:43:00 | *** zorlak has joined #openmrs |
| 21:47:49 | *** LVW has quit IRC |
| 22:01:35 | *** djazayeri1 has joined #openmrs |
| 22:01:36 | *** ChanServ sets mode: +o djazayeri1 |
| 22:02:29 | *** tobin_g has joined #openmrs |
| 22:03:25 | <djazayeri1> Hi all, I'm on my phone for the next 20m so will be a slow typist |
| 22:03:56 | <djazayeri1> But happy to help the hack a thon |
| 22:12:14 | *** alden has joined #openmrs |
| 22:12:16 | <alden> hello |
| 22:13:24 | <djazayeri1> Hi |
| 22:22:29 | *** LVW has joined #openmrs |
| 22:51:40 | *** djazayeri has joined #openmrs |
| 22:51:40 | *** ChanServ sets mode: +o djazayeri |
| 22:52:30 | <djazayeri> Hi all, I'm at a physical keyboard now. Happy to answer any OpenMRS-related questions. |
| 22:52:32 | *** djazayeri1 has quit IRC |
| 22:54:34 | <Adian> Hello |
| 22:54:41 | <djazayeri> Hi |
| 22:54:53 | <Adian> We're mostly settled in here for some hacking |
| 22:55:19 | <Adian> so far we have lots of XSS, which I think you guys expected |
| 22:56:05 | <djazayeri> Yes indeed. |
| 23:04:11 | <djazayeri> Stepping away from the computer for a bit, but if anyone has questions, just mention my name. I have the volume turned up. :-) |
| 23:05:18 | *** kevin has joined #openmrs |
| 23:11:34 | *** matthewl has joined #openmrs |
| 23:11:47 | *** tobin_g has quit IRC |
| 23:12:24 | <Adian> no problem |
| 23:16:44 | *** alden has quit IRC |
| 23:24:19 | *** matthewl has left #openmrs |
| 23:26:39 | *** upul has joined #openmrs |
| 23:26:39 | *** ChanServ sets mode: +v upul |
| 23:29:54 | <zorlak> I'm analyzing source code with Findbugs. It's taking up a lot of resources so still waiting to hit the WebUI. |
| 23:34:29 | *** matthewl has joined #openmrs |
| 23:34:42 | <matthewl> Any OWASP folks in the room? |
| 23:37:21 | <djazayeri> matthewl: Adian is OWASP |
| 23:37:22 | <Adian> I'm here |
| 23:37:56 | <matthewl> Cool. Greetings |
| 23:38:05 | <Adian> howdy |
| 23:39:09 | <Adian> seems like there might be a potential for second-order SQLi in ConceptValidatorChangeSet.isNameUniqueInLocale |
| 23:39:41 | <Adian> and perhaps other places in that class. using hibernate's escapeSqlWildcards almost certainly only escapes wildcards |
| 23:40:38 | <Adian> not sure how likely it is that concept names could be malicious... |
| 23:40:48 | <Adian> previously stored ones, that is |
| 23:41:40 | <Adian> djazayeri? |
| 23:42:58 | <djazayeri> Concepts are administrator-created. (Though administrator isn't necessarily superuser.) |
| 23:43:20 | <djazayeri> so it would be a low-priority, if an issue |
| 23:43:30 | <Adian> ok, so you'd have to have a lot of privs. makes sense |
| 23:43:50 | <Adian> easy to fix though, so i'll leave it as a non-vuln note |
| 23:44:25 | <djazayeri> Adian: and that method is only called the first time you upgrade from pre-1.7 to 1.7 (I think), so it's even lower-priority. |
| 23:44:39 | <djazayeri> Adian: so yeah, include it in notes! |
| 23:47:16 | <Adian> ok, good to know. that's the kind of stuff I could waste an hour figuring out (the fact that it is only used in a one-time upgrade, rather than every upgrade) |
| 23:47:40 | <Adian> besides the XSS, I've also observed some issues with session management |
| 23:48:10 | <Adian> tomcat likes to put the session ID in the url upon first assignment, which opens up possibilities for leaks (namely, referer header) |
| 23:48:22 | <Adian> that's something you just have to manually tell tomcat not to do |
| 23:48:30 | <matthewl> It also looks like the session ID does not get changed on login, rather log-off |
| 23:48:35 | <Adian> then perhaps more worrisome is session fixation |
| 23:48:37 | <Adian> yup, exactly |
| 23:48:54 | <Adian> session fixation is a MitM-able condition |
| 23:50:32 | <matthewl> Running short on time, have to get back to studying, but I noticed what looks like a redirect issue. There are redirect & refererURL parameters that get sent when logging in. Anyone looked at that yet? |
| 23:51:29 | <Adian> I have not |
| 23:51:41 | <Adian> would be good to know if they allow redirect to arbitrary sites |
| 23:52:20 | <matthewl> My thoughts exactly. I'm going to poke at it for another 20-30 min then I'll have to finish my homework |
| 23:52:44 | *** mseaton has joined #openmrs |
| 23:52:44 | *** ChanServ sets mode: +v mseaton |
| 23:54:43 | <Adian> no prob. just be sure to submit any bug reports by 6p |
| 23:54:52 | <Adian> just email them to me |
| 23:55:26 | <matthewl> Cool. |
| 23:57:40 | *** mseaton has quit IRC |